Keep An Eye On Those Shiny, New Mobile Devices!

As physicians, nurses, therapists and health care providers continue to utilize new smart phones, tablets, and laptops in caring for patients, the Department of Health and Human Services (“HHS”) has responded with educational videos, worksheets and guidance to help health care providers create a “culture of compliance and awareness” and to protect patients’ Protected Health Information (“PHI”). While the material is focused on health care professionals, the information is also applicable to group health plan professionals and their business associates who use mobile devices to store and transmit PHI in connection with administration of group health plans.

In December 2012, HHS launched a new initiative called Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information. HHS also launched an educational webpage on safeguarding PHI on mobile devices. The website includes five YouTube videos describing common compliance challenges with mobile devices. The website also includes helpful resources that can be used to supplement HIPAA compliance training for employees of covered entities (and their business associates). HHS’s educational website, videos and resources are available at www.HealthIT.gov/mobiledevices. HHS cautions that these resources are only informational and do not guarantee compliance with HIPAA or other applicable laws.

By way of summary, HHS recommends the following five-step plan that organizations can use to manage mobile devices:

DECIDE: The health care provider must decide whether mobile devices will be used to access, receive, transmit, or store patients’ health information or be used as part of the organization’s internal networks or systems (e.g., Electronic Health Records system).

ASSESS: The health care provider must consider how mobile devices affect the risks (threats and vulnerabilities) to the PHI that the health care provider holds.

Regardless of whether the mobile device is personally owned and used at work (“bring your own device” or “BYOD”) or provided by the organization, a mobile device is susceptible to PHI privacy and security risks. A mobile device can be lost or stolen. An employee may inadvertently download viruses or other malware. An employee may use a mobile device on an unsecured Wi-Fi network and may unintentionally disclose PHI to unauthorized users. HHS’s mobile device educational website offers the following tips to protect and secure health information:

Use a password or other user authentication.

Install and enable encryption.

Install and activate wiping and/or remote disabling.

Disable and do not install file-sharing applications.

Install and enable a firewall.

Install and enable security software.

Keep security software up to date.

Research mobile applications (apps) before downloading.

Maintain physical control of your mobile device.

Use adequate security to send or receive health information over public Wi-Fi networks.

Delete all stored health information before discarding or reusing the mobile device.
